Security audit

Prediction markets data - Polymarket, Kalshi markets, prices, positions, and trades

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed read-only client for prediction-market data, but wallet lookups can expose trading history and should be used carefully.

Install only if you trust AIsa with your API key and query history. Treat wallet addresses as sensitive financial identifiers: prefer querying your own or authorized wallets, avoid unnecessary third-party profiling, and use a limited/read-only API key if AIsa supports it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 86%
Finding
The skill explicitly advertises wallet-specific activity, positions, and P&L lookups without any warning that wallet addresses can reveal sensitive financial behavior and trading history. Even if the underlying data is public or quasi-public, presenting these capabilities without consent, minimization, or privacy guidance can enable doxxing, profiling, and surveillance of users' holdings and behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
